Cyber Trust Blog » Cloud Computing
http://blogs.microsoft.com/cybertrust
In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance

Cloud security controls series: Azure AD Privileged Identity Management
http://blogs.microsoft.com/cybertrust/2015/07/23/cloud-security-controls-series-azure-ad-privileged-identity-management/
Thu, 23 Jul 2015 15:00:27 +0000

Securely managing access to privileged accounts has been a challenge for many of the CISOs I talk to. Many of these CISOs worry that their organizations have too many permanent accounts with high levels of privilege in their environments. Some examples of the threats that keep these people up at night include malicious or rogue administrators, administrator credentials leaked via phishing attacks, administrator credentials cached on compromised systems, and user accounts granted temporary elevated privileges that become permanent. More and more organizations are realizing that they have to strictly manage privileged accounts and monitor their activities because of the risk associated with their misuse. But many organizations are struggling to truly embrace the principle of least privilege across their large, complicated environments. I frequently get asked for best practices for managing and monitoring administrator accounts.

Working with privileged accounts in the Cloud is no different; using the principle of least privilege with Cloud resources makes as much sense as it does for on-premise resources. This is an area where Azure AD Privileged Identity Management can help. Azure AD Privileged Identity Management will help you discover the Azure Active Directory privileged administrator roles and the user accounts they are assigned to. It will also enable you to revoke permanent privileged access and provide a mechanism that manages on-demand, time-limited access for Azure Active Directory privileged accounts. This is the “just in time administration” functionality that so many CISOs I have talked to have been looking for. Azure AD Privileged Identity Management also provides reports on administrator access history and changes in administrator user account assignments.

You can get Azure AD Privileged Identity Management in the Azure Preview Portal as seen in Figure 1. Note that you’ll need Azure Active Directory Premium to get this feature – yet another important security feature that justifies getting the Premium edition of Azure Active Directory.

Figure 1: In the Azure Preview Portal click “New”, “Security + Identity”, “Azure AD Privileged Identity”; once installed it will appear on the Startboard in the Azure Preview Portal

One feature of Azure AD Privileged Identity Management that I’ll highlight here is the “just in time” administrator functionality that I mentioned earlier. Azure Active Directory enables granular administrative control of resources. Users can be given privileged roles that enable them to do different administrative functions for their organization. Examples of these roles include Global Administrator, Billing Administrator, Compliance Administrator, Service Administrator, Password Administrator, User Administrator, and others. Many customers will take advantage of Office 365 workload-specific roles such as Exchange Administrator, SharePoint Service Administrator, and Skype for Business Administrator. When managed by Azure AD Privileged Identity Management, user accounts that have these roles assigned to them are effectively non-privileged users until they activate their assigned privileged role. When a user needs to perform an administrative task that requires the privileges of that role, they open Azure AD Privileged Identity Management in the Azure portal and activate their membership in the role they have been pre-assigned. They can then perform the administrative task for a limited period of time before the activation expires. Figure 2 is an example of the privileged account activation process in Azure AD Privileged Identity Management.

This process provides a few important advantages over the standard administrative model. First, it helps minimize the number of accounts that have standing administrator privileges. The fewer administrators surfing the Internet and reading email with privileged credentials, the better. The second advantage of this approach is that it minimizes the amount of time that privileged accounts are active – they are only used when they need to be used and are otherwise dormant. The result is an audit trail with less noise, one that can actually be used to understand when and how privileged accounts were used. Another big advantage of this approach is that it provides an excellent place to enforce multi-factor authentication, which helps mitigate the risk of leaked administrator credentials. Requiring multiple factors to activate a privileged role also provides a level of non-repudiation that helps manage the “insider threat” scenario that so many of the CISOs I talk to worry about. If administrators know they are being monitored and their activities are being logged and are easy to audit, they are less likely to take liberties or be sloppy with the privileged credentials they have been entrusted with.

Figure 2 (left): I activated my role as a Security Administrator in Azure AD Privileged Identity Management which gave me the privileges of that role for 50 minutes; Figure 3 (right): each privileged role has settings that can be configured that define the activation duration, whether to automatically send notifications on activation, and whether to require multi-factor authentication for activation
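Before moving administrators to just-in-time activation you need to know how many standing privileged assignments the tenant actually has and which of those accounts are not yet protected by a second factor. The script below is an added example written for this page, not code from the original post or from Microsoft. It uses the MSOnline PowerShell module (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember, Get-MsolUser) to list every member of the high-privilege directory roles and, for user members, the per-user multi-factor authentication state. The role names are the internal MSOnline names, which differ from the portal labels (for example, the portal’s Global Administrator is “Company Administrator” in MSOnline and Password Administrator is “Helpdesk Administrator”); the output path is an assumption.

```powershell
# Added example (not from the original post): inventory standing privileged role
# assignments in an Azure AD tenant with the MSOnline PowerShell module, so that
# you know which accounts would need to move to just-in-time activation.
# Assumptions: MSOnline module installed; you sign in with a Global Administrator
# account; the output path .\standing-admins.csv is arbitrary.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# Internal MSOnline role names; the portal labels differ
# (Company Administrator = Global Administrator, Helpdesk Administrator = Password Administrator,
#  Service Support Administrator = Service Administrator, User Account Administrator = User Administrator).
$highPrivilegeRoles = @(
    'Company Administrator',
    'Service Support Administrator',
    'Billing Administrator',
    'User Account Administrator',
    'Helpdesk Administrator',
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'Lync Service Administrator'
)

$standingAdmins = foreach ($role in Get-MsolRole | Where-Object { $highPrivilegeRoles -contains $_.Name }) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        $mfaState = 'n/a'          # groups and service principals have no per-user MFA state
        if ($member.RoleMemberType -eq 'User') {
            $user = Get-MsolUser -ObjectId $member.ObjectId
            # StrongAuthenticationRequirements is empty when per-user MFA was never turned on;
            # otherwise State is 'Enabled' (registers at next sign-in) or 'Enforced'.
            $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                            $user.StrongAuthenticationRequirements[0].State
                        } else { 'Disabled' }
        }
        [pscustomobject]@{
            Role       = $role.Name
            Member     = $member.EmailAddress
            MemberType = $member.RoleMemberType
            PerUserMFA = $mfaState
        }
    }
}

# Every row is a standing privilege; rows with PerUserMFA = Disabled are the ones to fix first.
$standingAdmins | Sort-Object Role, Member | Format-Table -AutoSize
$standingAdmins | Export-Csv -Path .\standing-admins.csv -NoTypeInformation
```

Run it once before rolling out Azure AD Privileged Identity Management to get the baseline, and again afterwards: the list of permanent members should shrink to the break-glass accounts you deliberately keep, and none of the remaining user members should show Disabled.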

Azure AD Privileged Identity Management has a lot more functionality than I covered here; the Azure team has published some good resources so that you can learn more:

Cloud security controls series: Multi-factor Authentication
http://blogs.microsoft.com/cybertrust/2015/07/20/cloud-security-controls-series-multi-factor-authentication/
Mon, 20 Jul 2015 21:40:35 +0000

Recently I wrote an article on the risk of leaked credentials in which I discussed how credentials are stolen in bulk directly from organizations’ websites. As illustrated in Figure 1, during the eight months between November 2013 and June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials. This problem is amplified in cases where victims have used the same credentials for access to multiple different service accounts on the Internet. Additionally, many of the high-profile network compromises you have heard about over the past several years had a phishing component in the attack. In many cases someone with a valid user name and password was tricked into disclosing those credentials in a phishing attack that subsequently provided attackers with a way into their infrastructure. Figure 2 illustrates that SmartScreen Filter reported 10.2 phishing impressions per 1,000 unique IP addresses in June 2014. Computers in Western Europe were disproportionately affected by phishing attempts. Four of the 10 locations reporting more than 20 phishing impressions per 1,000 unique IP addresses in June 2014 were in Western Europe: Italy (35.0), France (27.3), Belgium (26.1), and Spain (23.4). Other locations reporting high rates of phishing impressions include Venezuela (24.9) and South Africa (22.0).

In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are so common and effective, many of the CISOs I talk to have come to the conclusion that passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect many of the resources that they are entrusted with. After all, even if every password and passphrase meets the organization’s complexity requirements, if attackers hold a massive list of leaked credentials to try, the complexity of those credentials isn’t really a mitigating factor for that type of risk. Most of the CISOs I have talked to have implemented or plan to implement some form of multi-factor authentication as a control that helps mitigate some of these attacks. Multi-factor authentication adds one or more factors to the authentication process so that in addition to something the user knows (a password or PIN), successful authentication also relies on something the user has (like a token generator, a smartcard, a specific device or application) or something the user is (biometrics like facial recognition or iris or fingerprint scans). These additional factors make it much harder for attackers to use leaked or stolen passwords to gain unauthorized access to systems. One caveat worth keeping in mind: a second factor defeats replay of a leaked password, but a phishing page that relays a one-time code to the real site within the same session can still succeed, so the second factor raises the attacker’s cost substantially rather than eliminating the risk. Security professionals use multi-factor authentication to help manage authentication in many on-premise scenarios including logging into Windows and authenticating to Active Directory, VPN, DirectAccess, Exchange, Terminal Services, web applications, etc. In some cases multi-factor authentication helps organizations meet their compliance requirements.

When I have conversations about Microsoft’s Cloud services with customers, one of the first security controls I get asked about is multi-factor authentication. Naturally, security professionals that have implemented multi-factor authentication in their on-premise environments want to know they have the option to also use it to help protect users, data, and applications in the Cloud. Multi-factor authentication is available for Microsoft Cloud services and there are several configuration options to choose from depending on the service and assets you are trying to protect. These options include Multi-factor Authentication for Azure Administrators, Azure Multi-factor Authentication, Azure Multi-factor Authentication Server, and Multi-factor Authentication for Office 365.

Azure Multi-factor Authentication is the multi-factor authentication service for Azure Active Directory. It helps to protect whatever assets you have protected with Azure Active Directory authentication including Cloud applications like Microsoft Office 365, OneDrive for Business, and Windows Intune. It can also be used to protect applications you develop on-premise as well as the thousands of SaaS applications available through Azure’s Application Gallery (screen shot in Figure 3), thus providing a more secure, single sign-on experience for people in your organization.

Figure 3: A screen shot of the Azure Application Gallery in the Azure portal, currently with 2,494 popular SaaS applications available

When enabled, Azure Multi-factor Authentication can be configured to require users to use a mobile app, phone call, or text message after entering a valid password when authenticating to Cloud-based or on-premise applications. You can enforce multi-factor authentication on individual users or on specific applications. For example, let’s say your organization had a corporate LinkedIn account. You can provide access to that application to specific users in your organization via Azure Active Directory so they can access it via the app access panel at http://myapps.microsoft.com/. You could enforce multi-factor authentication for specific users so they have to use multiple factors when they log on to the app access panel or when they launch LinkedIn from the app access panel. Figure 4 illustrates how this is configured: in the configuration settings for that application, I had the option to require multi-factor authentication for the users of that application, just as I would for any other application I have added to my Azure Active Directory.

Figure 4: How the Azure administrator adds the LinkedIn app to Azure Active Directory Applications in the Azure Portal and configuring multi-factor authentication, so that users can access the application from the Azure app access panel

Figure 5: A user logs into the Azure app access panel and sees they have been given access to the LinkedIn application; when the user launches LinkedIn from the Azure app access panel for the first time after multi-factor authentication has been enabled on the application, the user is prompted to set up the second factor after they successfully authenticate with their user name and password; the user can select the method they want to use for a second factor; the user selected “Mobile app” in this example and has some configuration options available; instructions are then presented to help the user install the mobile app on their smartphone – essentially installing the multi-factor authentication app from the appropriate app store and scanning the barcode

You can enable the multi-factor authentication service for on-premises applications by using Azure Multi-factor Authentication Server, which can be downloaded from the Azure Portal, as seen in Figure 7. Multi-Factor Authentication for Azure Administrators allows every administrative account of an Azure subscription to be protected by multi-factor authentication. So even if your organization decides not to implement multi-factor authentication for all users, the organization’s Azure administrators have the option to enable it for their accounts.
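Enabling the second factor for a handful of administrator accounts is usually done per user rather than tenant-wide, and the MSOnline module exposes the same per-user state that the portal toggles. The function below is an added example written for this page, not code from the original post or from Microsoft; it sets a user’s StrongAuthenticationRequirements with Set-MsolUser and reads the state back with Get-MsolUser. The user principal names are placeholders, and the module is assumed to be installed with Connect-MsolService already run.

```powershell
# Added example (not from the original post): turn per-user Azure Multi-factor
# Authentication on (or off) for a set of administrator accounts with the MSOnline module.
# Assumptions: MSOnline module installed and Connect-MsolService already run;
# the UPNs at the bottom are placeholders for your own admin accounts.

Import-Module MSOnline

function Set-PerUserMfa {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $UserPrincipalName,
        # 'Enabled'  : user must register a second factor at next browser sign-in, then it is required.
        # 'Enforced' : required immediately; rich clients without an app password stop working.
        # 'Disabled' : per-user requirement removed.
        [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State = 'Enabled'
    )
    process {
        if ($State -eq 'Disabled') {
            $requirements = @()    # an empty collection clears the requirement
        } else {
            $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $requirement.RelyingParty = '*'   # apply to every application, not a single relying party
            $requirement.State        = $State
            $requirements = @($requirement)
        }
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements

        # Read the state back so the caller gets what the directory actually stored.
        $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
        [pscustomobject]@{
            User  = $UserPrincipalName
            State = if ($after.Count -gt 0) { $after[0].State } else { 'Disabled' }
        }
    }
}

# Placeholder accounts, constructed for this example.
$adminUpns = @('alice.admin@contoso.onmicrosoft.com', 'bob.admin@contoso.onmicrosoft.com')

# Start with Enabled so each admin is walked through registration at next sign-in;
# once everyone has registered, run again with -State Enforced.
$adminUpns | Set-PerUserMfa -State Enabled | Format-Table -AutoSize
```

The two-step rollout matters in practice: jumping straight to Enforced locks out an administrator who has not yet registered a phone or the mobile app, and the one account you cannot afford to lock out is the one you need to fix the problem.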

One tip about multi-factor authentication providers in Azure, illustrated in Figure 8: you only need to configure a multi-factor authentication provider if you aren’t getting Azure Multi-factor Authentication as part of a service you already use. If you are using Azure Active Directory Premium edition, Office 365, or Multi-Factor Authentication for Azure Administrators, then Azure Multi-factor Authentication is provided at no extra cost as part of these offerings. If you plan to use Azure Multi-factor Authentication as a stand-alone service, then you’ll have to create a multi-factor authentication provider to pay for that service. If you create a multi-factor authentication provider when you don’t need one, you’ll likely pay for Azure Multi-factor Authentication when you don’t need to – so confirm that you need a multi-factor authentication provider before you create one.

Figure 8: Multi-factor Authentication Providers found in the Azure portal under the Active Directory in the left navigation bar, then click the “MULTI-FACTOR AUTH PROVIDERS” tab

As I mentioned earlier, many of the enterprise customers I talk to have already invested in on-premise identity management solutions to meet specific security or compliance objectives. They use technologies such as Active Directory Federation Services (AD FS), certificate-based authentication, physical smart cards or virtual smart cards. Both Microsoft and third-party authentication methods are available in Windows Server 2012 R2 AD FS. Once an authentication provider is installed and registered with AD FS on Windows Server 2012 R2, you can enforce multi-factor authentication as part of the global or per-relying-party authentication policy. A number of providers have multi-factor authentication offerings available for AD FS in Windows Server 2012 R2. Currently these include offerings from Gemalto, inWebo Technologies, Login People, RSA, SafeNet, Swisscom and Symantec. Microsoft Azure Multi-factor Authentication will also work in this scenario. More background information along with the steps to do this is available: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

Figure 9: An illustration of how Azure Multi-factor Authentication Server can be integrated to manage authentication requests from on-premise applications

Figure 10 (left): Installing the AD FS Adapter in the Azure Multi-factor Authentication Server after it has been installed and activated; Figure 11 (right): Configuring the AD FS Global Authentication Policy to use Azure Multi-factor Authentication

A number of other resources are available on using multi-factor authentication with AD FS:

For Office 365, multi-factor authentication can be used to protect both Office 365 administrative accounts and Office 365 user accounts. Multi-factor Authentication for Office 365 is powered by Azure Multi-factor Authentication, and works exclusively with Office 365 applications and is managed from the Office 365 portal. It’s available for all the different SKUs of Office 365. Once enabled, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied does the user get access to Office 365 resources. The Office 365 team has published some great articles and videos that you can use to learn more about Multi-factor Authentication for Office 365:

As you can see, you have several options that make it easy to enable multi-factor authentication to help protect administrator and user credentials used to access on-premise applications, Office 365 applications, Azure-based applications, and thousands of third party Cloud SaaS applications.

Cloud security controls series: Azure Active Directory’s Access and Usage Reports
http://blogs.microsoft.com/cybertrust/2015/07/13/cloud-security-controls-series-azure-active-directorys-access-and-usage-reports/
Mon, 13 Jul 2015 16:39:03 +0000

Over the past several months I have had many, many conversations with business customers and governments about the security benefits of Microsoft’s Cloud service offerings. This video from the RSA Conference earlier this year will give you an idea of the types of topics we have been discussing with customers. These conversations have increasingly become less about whether the Cloud can be trusted, and more about the innovative security and privacy features and functionality that are being constantly introduced into Microsoft’s Cloud services. Many of the CISOs and CIOs I have talked to recently have come to the conclusion that their own datacenters will not keep pace with the level of innovation that they see happening in Microsoft’s Cloud services.

Consequently I thought it was a great time to write a series of articles focused on some of the security features and functionality built into Microsoft’s Cloud services. Since most of the conversations I have been having with customers have been about controls in Office 365 and Microsoft Azure, specifically Infrastructure as a Service (IaaS), these articles will focus on security controls in these areas.

To get an idea of the type of innovation I’m talking about, in a security context, simply peruse Azure Active Directory’s access and usage reports. Figure 1 below is a screenshot of Active Directory’s access and usage reports in the Azure portal. To get to this place in the Azure portal simply click on “Active Directory” in the left-hand navigation bar, then click on the active directory in the list you want to get reports on, and then click on the “REPORTS” tab.

Figure 1: Azure Active Directory’s access and usage reports

Typically when CISOs see this list for the first time, they get very interested in learning more about these reports. In order for you to get access to all the same reports that you see in Figure 1, you need the Premium edition of Azure Active Directory. You can get information on the different editions of Azure Active Directory here. Some of these reports are available in the free edition of Azure Active Directory, and thus available as part of every Azure subscription. Some examples of reports that are available in the free edition of Azure Active Directory include “Sign ins from unknown sources”, “Sign ins after multiple failures”, and “Sign ins from multiple geographies”. As I mentioned, some of the other reports seen in Figure 1 require the Premium edition of Azure Active Directory including “Sign ins from IP addresses with suspicious activity”, “Anomalous sign in activity”, “Sign ins from possibly infected devices”, and others. You can see the current list of reports and which edition of Azure Active Directory they are available in, here.

I have written a couple of articles that will give you more details on some of these reports and why they are potentially so valuable:

Each report in Figure 1 can be downloaded in comma separated value (CSV) format for archiving or further analysis. An example of a file that has been downloaded from the Azure portal is provided in Figure 2.

Figure 2: Example audit report downloaded from the Azure Portal

There are also activity reports for users and groups available. This makes it possible for your organization’s Azure administrators to review sign-in activity for users; this report includes information like the application the user signed into, the type of device the user used, the device’s IP address, and the location the sign-in was from. Figure 3 is an example of a user activity report. To get to this report in the Azure portal simply click on “Active Directory” in the left-hand navigation bar, then click on the active directory in the list where the user account you want an activity report on resides, then click on the “USERS” tab, then click on the user in the list you’d like to review activity for, then click the “ACTIVITY” tab.

Most of the CISOs I talk to tell me that they really don’t want yet another console or “pane of glass” to search for useful information in. Many of them already have numerous consoles for anti-malware software, IDS/IPS solutions, patch management, and in some cases one or more Security Information and Event Managers (SIEMs). There are a couple of additional features that will help security professionals that are in this category. Email notifications are automatically sent to all of the global admins associated with your Active Directory when it encounters 10 or more anomalous sign in events within a span of 30 days or less. This email will be sent from aad-alerts-noreply@mail.windowsazure.com. This feature is enabled by default – you can see this setting by clicking “Active Directory” in the left-hand navigation bar, then click on the active directory in the list you want to check the setting on, and then click on “CONFIGURE” tab. The setting is called “Email Notification of Anomalous Sign Ins” as seen in Figure 4.

Another useful bit of functionality that will help reduce the number of consoles security staff need to monitor is the Azure AD Reporting API. This API gives you the ability to programmatically export the data in these reports so that they can be consumed by your SIEMs and other data collection and analytics software. The Azure Active Directory team has provided a sample PowerShell script that illustrates how to access data from any of the available reports in JavaScript Object Notation (JSON), Extensible Markup Language (XML) and text formats. You can get more information on the REST APIs that provide read-only access to the Azure AD access and usage reporting data from this page on MSDN. There is also a whitepaper available called Microsoft Azure Security and Audit Log Management that contains more details on generating and collecting security logs from services that are deployed in Azure.

Figure 5: Output from a PowerShell script that I used to access events in the Audit Events report in my Microsoft Azure subscription’s Azure Active Directory
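The script below is an added example written for this page, not the Microsoft sample script shown in Figure 5 and not code from the original post; it follows the same REST pattern that sample used. It obtains an access token with the OAuth 2.0 client-credentials grant and then pages through one named report from the Azure AD Reporting API so the result can be written out for a SIEM. It assumes an application registered in the tenant with a client secret and the directory-read permission the MSDN page referenced above asks for; the tenant domain, client ID, secret, report name and output path are placeholders, and the endpoint and report names are the api-version=beta ones of that era. Note that this Azure AD Graph endpoint has since been retired in favour of Microsoft Graph, so treat the URLs as the 2015 shape of the API.

```powershell
# Added example (not from the original post): pull an Azure AD access and usage
# report with the Azure AD Reporting API (client-credentials token, then paged GET)
# and save it as JSON for a SIEM. Every ID, secret, domain and path below is a
# placeholder; don't keep a real client secret in a script.

param(
    [string] $TenantDomain = 'contoso.onmicrosoft.com',
    [string] $ClientId     = '00000000-0000-0000-0000-000000000000',
    [string] $ClientSecret = '<client-secret>',
    [string] $ReportName   = 'auditEvents',    # also e.g. signInsFromUnknownSourcesEvents,
                                               # signInsFromMultipleGeographiesEvents,
                                               # signInsAfterMultipleFailuresEvents
    [string] $OutFile      = ".\$ReportName.json"
)

$loginUrl = 'https://login.windows.net'
$resource = 'https://graph.windows.net'

# OAuth 2.0 client-credentials grant: no interactive sign-in, so this can run from a scheduler.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "$loginUrl/$TenantDomain/oauth2/token?api-version=1.0" `
    -Body @{
        grant_type    = 'client_credentials'
        resource      = $resource
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
$headers = @{ Authorization = "$($tokenResponse.token_type) $($tokenResponse.access_token)" }

# Report responses are paged: each page carries the next page's URL in @odata.nextLink
# (assumption about this API's paging) until the last page, which omits it.
$url    = "$resource/$TenantDomain/reports/${ReportName}?api-version=beta"
$events = @()
while ($url) {
    $page    = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
    $events += $page.value
    $url     = $page.'@odata.nextLink'
}

Write-Host ("{0}: {1} events retrieved" -f $ReportName, $events.Count)
$events | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
```

Because the token is obtained with an application identity rather than an administrator’s credentials, the collector can run unattended; the trade-off is that the client secret is itself a privileged credential and belongs in a protected store, not in the script file.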

One of the reasons many CISOs get excited about these reports is that they don’t have similar capabilities in their on-premise environments or have to pay for a third party service to provide something similar. These reporting capabilities are built into the Microsoft Azure platform; so whether you are running applications based on the Azure platform (PaaS) or running your own virtual machines in Azure (IaaS) you’ll have the option of using these reports to help spot potential security issues.

The Risk of Leaked Account Credentials

One scenario that has unfortunately become all too common is where account credentials are stolen in bulk by criminals through website breaches. Credentials are also unwittingly provided directly by the victims themselves through phishing attacks, or harvested from systems that are infected with malware. As we reported in the Microsoft Security Intelligence Report volume 17, account credentials that are stolen in bulk directly from organizations’ websites contribute a significant amount to the trade in stolen credentials. As part of its customer account protection operations during the period from November 2013 to June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials.

Figure 1: Number of publicly posted website credential thefts, per month, from November 2013 to June 2014

Figure 2: Number of stolen credentials from publicly-posted credential thefts, per month, from November 2013 to June 2014. The spike in February includes the public posting of 1 million hashed credentials that had been stolen from Forbes[1]

In addition to attacks on websites, a substantial share of the illicit trade in account credentials is supplied by devices infected with malware.

Figure 3: Trends for the most commonly encountered password stealers in the 1st half of 2014

Security Mitigations in Microsoft’s Cloud Services that can Help

Last November I wrote about a unique capability built into Azure Active Directory Premium that allows customers to identify devices that have been compromised with some of the worst professionally managed threats on the Internet and that are attempting to sign in to Azure-based applications. This information allows customers to identify and remediate infected systems in their environments quickly.

This week the Microsoft Identity and Security Services Division announced yet another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.

Figure 5: The new “Users with leaked credentials” report in the Azure management portal surfaces any matches between the leaked credentials lists that Microsoft discovers posted publicly and your tenant

Another security mitigation that can help to mitigate the risk of leaked credentials is multi-factor authentication. Typically, a user presents something they know, like their secret password, as proof of authenticity. The basic idea behind multi-factor authentication is for the user to present one or more additional proofs based on something they have, like a device for example, or something they are, such as a fingerprint or retinal scan.

Microsoft Azure and Office 365 already have multi-factor authentication support to help you manage this risk. You can get more details here: Azure Multi-Factor Authentication.

Many of the customers I talk to that manage on-premise environments have implemented some form of multi-factor authentication that helps protect their user accounts. But only a few customers I have talked to look for lists of leaked credentials and test them against their on-premise directory services. I suspect that the new “users with leaked credentials” report will be of high interest to many customers in a world where credential leakage and theft have become so commonplace.

I was in Silicon Valley recently speaking at another Transparency & Trust in the Cloud event. Thank-you very much to all the customers that made time to join us at the Microsoft campus in Mountain View, California! This was another very well attended event with numerous large enterprise customers located in the vicinity in attendance.

Like all the Transparency and Trust events prior to this one, I learned from the attendees what their expectations are for a Cloud Service Provider when it comes to security, privacy and compliance. We had several lively discussions on a range of topics. These are some of the themes that emerged during our discussions:

How do customers move data from existing on-premise applications into new applications in the Cloud?

What compliance artifacts does Microsoft provide to its Cloud customers?

Does Microsoft provide architectural diagrams of what its cloud services look like to its customers?

What process does Microsoft use for incident response in the Cloud?

My next stop on this tour is San Diego on April 14th and there are still a few other opportunities to learn more about Microsoft’s approach to building the industry’s most trustworthy Cloud. Please refer to the Transparency & Trust Series event schedule. As always, your Microsoft account team is available if you have any questions about these events.

http://blogs.microsoft.com/cybertrust/2015/04/28/transparency-trust-in-the-cloud-series-mountain-view-california-2/

A cornerstone to trust in technology – compliance – proves foundational as more U.S. government organizations adopt cloud services
http://blogs.microsoft.com/cybertrust/2015/04/13/a-cornerstone-to-trust-in-technology-compliance-proves-foundational-as-more-u-s-government-organizations-adopt-cloud-services/
Mon, 13 Apr 2015 17:11:14 +0000

Government agencies want the economic benefits of cloud computing, but this alone isn’t always enough to make the case for change. To move forward, decision makers want to understand the security, privacy and compliance commitments of their cloud service provider. We continue to track and complete a number of attestations and compliance certifications, confirming controls are in place that help enable cloud solutions for government organizations. And, while compliance represents a necessary set of requirements for many governments prior to Cloud adoption, customers also tell us that these investments are helping increase IT security and are therefore integral to decision-making.

One recent example in the United States is the Criminal Justice Information Services (CJIS) Division of the U.S. Federal Bureau of Investigation, which operates systems that provide state, local, and federal law enforcement and criminal justice agencies with access to criminal justice information. In April, the California Department of Justice confirmed that Microsoft Azure Government cloud solutions complied with CJIS standards for handling criminal justice information in the cloud. In addition to the State of California, Microsoft has signed CJIS agreements for Office 365, Azure, or Dynamics CRM Online in 11 states, including Texas, Michigan, Kansas, and Pennsylvania, and more are still to come.

To outline how U.S. government IT departments are using the cloud to become more secure, we’ve also produced an infographic. For U.S. government entities who want to learn more about the cloud in general, and the cloud services available today, I encourage a visit to our dedicated site.

Obtaining new certifications or updating current ones can be a complicated task. Whether the requirements are CJIS, FedRAMP, IRS 1075, or HIPAA, organizations rely on their cloud service provider to adhere to them and to provide the tools necessary to confirm compliance. If you’re interested in learning more about what we’re doing in the area of compliance, the Azure Trust Center, the Office 365 Trust Center and the Dynamics CRM Trust Center all provide summary-level and detailed information.

Transparency & Trust in the Cloud Series: Omaha and Des Moines
http://blogs.microsoft.com/cybertrust/2015/04/08/transparency-trust-in-the-cloud-series-omaha-and-des-moines/
Wed, 08 Apr 2015 19:15:36 +0000

I was in Omaha and Des Moines last week speaking at more Transparency & Trust in the Cloud events. The events in Omaha and Des Moines were very well attended; thank you very much to all the customers that made time to join us. The feedback from the CIOs, CISOs, attorneys, and IT professionals that attended has been very positive.

Photo caption: Dennis Garcia, Assistant General Counsel from Legal and Corporate Affairs at Microsoft, talking with customers at the Transparency & Trust in the Cloud Series event in Des Moines.

I learn from the customers attending these events as much as they learn from the speakers. The themes that emerged during the conversations in Omaha and Des Moines included:

Is Microsoft’s plan to get every compliance certification and attestation possible in every country/region where it does business?

Does Microsoft sign Business Associate Agreements?

How does Microsoft help its customers during incident response investigations?

What are best practices for managing crisis communications during and after a breach?

What is Microsoft doing to help governments craft public policy for cybersecurity?

My next stops on this tour are Mountain View on April 16th, and San Diego on May 14th. If you are an enterprise customer and would like to learn more about Microsoft’s approach to building the industry’s most trustworthy Cloud, check out the current Transparency & Trust in the Cloud event schedule and please reach out to your account team to find out if one of these events is coming to your area in the future.

I’m also speaking at the RSA Conference 2015 in San Francisco on April 21st. If you are attending the conference, please check out some of the Microsoft sessions.

California here I come!

RSA Conference 2015: Enhancing Cloud Trust
http://blogs.microsoft.com/cybertrust/2015/03/31/rsa-conference-2015-enhancing-cloud-trust/
Tue, 31 Mar 2015 17:01:33 +0000

RSA Conference USA 2015 is just a few weeks away (April 20-24) in San Francisco. Given the numerous noteworthy cybersecurity events that have occurred over the last 12 months, I expect this conference to be well attended, yet again!

Once more, Microsoft is a Diamond sponsor, and Scott Charney, Corporate Vice President, Trustworthy Computing, will deliver a keynote at the conference. His keynote, entitled “Enhancing Cloud Trust,” will be delivered Tuesday, April 21st at 8:50 AM PT.

On Tuesday, April 21st at 1:10 PM PT, I will be delivering a speaker session, “Exploitation Trends: from potential risk to actual risk,” as part of the Breaking Research track. Microsoft researchers have studied some of the exploits discovered over the past several years and the specific vulnerabilities in Microsoft software that were targeted. The goal of this study is to understand which vulnerabilities are exploited, who exploits them, the timing of exploitation attempts relative to when security updates are available, and how these vulnerabilities were introduced into code. These findings are key in helping security professionals more accurately assess the risk vulnerabilities pose.

I’m excited to be joined by two exploit researchers: Matt Miller, Principal Security Software Engineer from the Microsoft Security Response Center, and David Weston, Principal Program Manager from the Microsoft One Protection Team. Together, we will be discussing the long-term trend data and our brand new research.

And finally, we will examine how exploits are monetized through exploit kits that are sold as commercial software or as a service, as well as development practices that can help minimize such vulnerabilities.

There are several Microsoft speakers at the conference this year; below is a full list of their sessions.

Microsoft is also hosting a booth on the expo floor where we will run a number of theater sessions. To find session descriptions and times, as well as details on the Microsoft party (Wednesday, April 22nd, 8:00 PM PT), please visit http://rsa2015.microsoft.com.

One other session that I think you should check out is being delivered by a longtime colleague, Nicole Miller, Senior Vice President, Cybersecurity & Issues Management, Waggener Edstrom. Nicole has been working with companies on cybersecurity for many years, and it’s a rare treat to hear her speak in public. Her session is called “From the Battlefield: Managing Customer Perceptions in a Security Crisis” and is scheduled on Tuesday, April 21, 2015 at 3:30 PM PT.

I hope to see you at the conference!

VOTE for Microsoft Crowdsourced RSA Sessions
http://blogs.microsoft.com/cybertrust/2015/03/18/vote-for-microsoft-crowdsourced-rsa-sessions/
Wed, 18 Mar 2015 21:44:05 +0000

RSA Conference is trying something a little different this year to form a full track of sessions that are voted on directly by you. Anyone can vote, but registered delegate votes count a bit more. Microsoft has proposed seven additional sessions – so click on the title below and vote!

I had the opportunity to speak at three additional Transparency & Trust in the Cloud events last week in Cincinnati, Cleveland, and Detroit. These were the latest in the series that Microsoft is hosting, inviting customers to participate in select cities across the US.

For me personally, these events provide the opportunity to connect with customers in each city and learn which security and privacy challenges are top of mind for them. In addition, I get to hear first-hand how customers have been using the Cloud to drive their businesses forward, or, if they haven’t yet adopted Cloud services, what’s holding them back. I feel very fortunate, as the participating CIOs, their in-house lawyers, CISOs, and IT operations leaders haven’t been shy about sharing the expectations they have for prospective Cloud Providers, specifically around security, privacy, and compliance.

I was joined by other Microsoft Cloud subject matter experts: Assistant General Counsel Dennis Garcia, Principal IT Solution Manager Maya Davis, Director of Audit and Compliance Gabi Gustaf, and Cloud Architect Delbert Murphy. This diverse cast helped provide an overview of the Microsoft Trustworthy Cloud Initiative from their unique perspectives and answered a range of technology, business process, and legal questions from attendees.

Here are just some of the types of questions these events garner, most recently in these three cities:

What data does Microsoft share with customers during incident response investigations?

Which audit reports does Microsoft provide to its Cloud customers?

What terms does Microsoft include in its Cloud contracts to help customers manage regulatory compliance obligations in EU nations?

What does the new ISO 27018 privacy certification that Microsoft has achieved for its four major Cloud solutions provide to Microsoft’s Cloud customers? (Microsoft is the only major Cloud provider to achieve ISO 27018 certification.)

These are great conversations! Thank you to all of the customers that have attended and participated in recent events.

There are still a few more scheduled in different cities across the country. If you are a customer and would like to learn more about the Microsoft approach to building the industry’s most trustworthy Cloud, please reach out to your account team to find out if one of these events is coming to your area.

I’m looking forward to seeing customers in Omaha and Des Moines in just a couple of weeks.